$700 Hack Threatens Millions of Yahoo Mail Users

A new exploit being sold for $700 may put tens of millions of Yahoo Mail users at risk.

Once victims click on a malicious email link, the exploit allows an attacker to steal and replace tracking cookies, while remotely controlling the victims' browsing sessions.

"After the victim clicks the link, he will be redirected to the email page again," a demonstration video for the hack explained. "And you can redirect him to wherever you want."

According to Yahoo, fixing the exploit won't be nearly as difficult as finding it. That's because it is a cross-site scripting (XSS) flaw triggered by a crafted URL: a hole that is easy to patch once found, but hard to locate.
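The mechanism the article describes, reflected XSS set off by a URL, comes down to a request parameter being copied into the page without encoding. The following is an added illustration, not Yahoo's code or anything from the article: a vulnerable handler beside its fixed form, the HttpOnly cookie flag that blunts the cookie-theft half of the attack, and a small check a log reviewer could run over request URLs. The route, parameter name, cookie name and host are assumptions.

```javascript
// Added example (not from the article). The route, parameter name ("q"),
// cookie name and base host are constructed for illustration only.

// Minimal HTML entity encoding for text placed inside an HTML element body.
// (Attribute and JavaScript contexts need their own encoders.)
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Parse the query string of a request URL into a plain object.
// The base host is a constructed placeholder, only needed to parse a path.
function queryParams(requestUrl) {
  const url = new URL(requestUrl, "https://mail.example.invalid");
  return Object.fromEntries(url.searchParams.entries());
}

// VULNERABLE: the "q" parameter from the URL is reflected into the page
// verbatim, so a crafted link carries markup straight into the victim's page.
function renderSearchVulnerable(requestUrl) {
  const { q = "" } = queryParams(requestUrl);
  return `<h1>Results for: ${q}</h1>`;
}

// FIXED: the same value is entity-encoded before it reaches the HTML body.
// This is the kind of small change that can be deployed quickly once the
// offending URL pattern is known.
function renderSearchFixed(requestUrl) {
  const { q = "" } = queryParams(requestUrl);
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Defence in depth for the cookie-theft part of the attack: a session cookie
// marked HttpOnly cannot be read from document.cookie even if script does run,
// and Secure plus SameSite limit where the browser will send it.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Simple detector a log-review script might apply to request URLs:
// flags any query parameter that, once URL-decoded, contains tag-like markup.
function looksLikeMarkupInjection(requestUrl) {
  const params = queryParams(requestUrl);
  return Object.values(params).some((v) => /<\s*\/?\s*[a-z]/i.test(v));
}

// Constructed sample request: a search link whose "q" parameter carries a tag.
const SAMPLE_LINK = "/search?q=%3Cscript%3Ex%3C%2Fscript%3E";

console.log("vulnerable:", renderSearchVulnerable(SAMPLE_LINK));
console.log("fixed:     ", renderSearchFixed(SAMPLE_LINK));
console.log("cookie:    ", sessionCookieHeader("sid", "abc 123"));
console.log("flagged:   ", looksLikeMarkupInjection(SAMPLE_LINK));
```

The vulnerable handler returns the tag intact, while the fixed one returns `&lt;script&gt;x&lt;/script&gt;`, which the browser renders as text. Encoding is context-specific: the body encoder above is not sufficient for values placed inside attributes, URLs or inline script, and the HttpOnly flag limits damage but does not replace the output-encoding fix.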

"Fixing it is easy," Ramses Martinez, Yahoo director of security, told computer security writer Brian Krebs. "Once we figure out the offending URL, we can have new code deployed in a few hours."

The exploit is being sold by an Egyptian hacker who goes by "TheHell" and who's taken measures to make sure the patch happens later, rather than sooner.

"While I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!" TheHell wrote. What's more, "you don't need to bypass IE or Chrome xss filter," he explained.

Krebs pointed out that if Yahoo paid hackers to report bugs to the company, as some companies do, rather than leaving them to sell to criminals, it might have been worth TheHell's while to turn it in. Had the vulnerability been Google's, Google would have purchased it for $1,337.

When opening emails, users should approach links with skepticism and be especially wary of any links that come from unexpected or unknown sources.

The Open Web Application Security Project (OWASP) lists XSS flaws like this among its Top 10 Application Security Risks.